Garante per la protezione dei dati personali (Italy) - 9828901
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Relevant Law: | Article 3(2)(a) GDPR; Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 5(1)(f) GDPR; Article 6 GDPR; Article 7 GDPR; Article 12(1) GDPR; Article 13 GDPR; Article 13(1)(a) GDPR; Article 14 GDPR; Article 27(4) GDPR; Article 32 GDPR; Article 35(3)(a) GDPR; Article 58(2)(d) GDPR; Article 58(2)(f) GDPR |
| Parties: | Alpha Exploration Co. Inc. |
| National Case Number/Name: | 9828901 |
| European Case Law Identifier: | n/a |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
The Italian DPA fined Alpha Exploration €2,000,000 for operating the Clubhouse social network in violation of the GDPR provisions on lawfulness and transparency, for failing to assess the risks arising from the processing and for appointing an EU representative without the required mandate to act on behalf of the controller.
English Summary
Facts
Since 2020, the US company Alpha Exploration Co. Inc. (the controller) has offered and operated the social network Clubhouse. The social network is based exclusively on voice interactions that take place in conversation rooms. Users can choose to open a thematic room or enter another person's room as a listener. Since January 2022, the platform's new Clips & Replays features allow users to (i) record and store parts of the conversations held on the platform and (ii) share those recordings with third parties. On the basis of profiling activities, Clubhouse allows users to find other people who may share a common interest or connection. In addition, Clubhouse collects contact data from the address book of its users' devices. This collection allows users to connect with people they know and to invite friends to join them on Clubhouse.
Following press reports that revealed several problems with the way the controller processed personal data, the Italian DPA opened an ex officio investigation. The DPA also received a report highlighting a number of critical issues with Clubhouse relating to security, the exercise of data subjects' rights, the lack of an EU representative, profiling activities, and the retention of personal data. On the basis of the information gathered, the DPA informed the controller of a number of violations that it had found in a first assessment of the matter.
Holding
The DPA started by considering whether it was competent to make a decision regarding the controller's processing activities. The DPA considered that the conditions for applicability of the GDPR set out in Article 3(2)(a) GDPR were met since the controller offered its services to data subjects in the EU. The DPA claimed jurisdiction on the basis of Article 55(1) GDPR because Clubhouse (i) was operated by a company that had no establishment in the EU and (ii) constituted cross-border processing of personal data within the meaning of Article 4(1)(23) GDPR because it affected data subjects in more than one Member State.
Following the closure of the investigation, the DPA considered that the controller committed the following violations in the context of the provision of the Clubhouse service. The DPA found a violation of Articles 5(1)(a), 6 and 7 GDPR for processing carried out for the purposes of marketing, profiling, profile sharing, and audio recording in the absence of an appropriate legal basis.
With regard to the processing carried out by means of the Clips & Replays function, which the controller justified as necessary for the performance of a contract, the DPA indicated that the terms of service needed to be updated to make the processing more transparent. Indeed, the terms of service did not mention the Clips & Replays function at all.
According to the terms of service, Clubhouse would indiscriminately record every conversation in every room on the basis of its legitimate interest in 'monitoring' possible violations of its guidelines. The DPA declared this processing unlawful because it was carried out in the absence of an appropriate legal basis under Article 6 GDPR. Contrary to the controller's contention, the processing could not be justified on the basis of legitimate interest because it would have entailed widespread and pervasive monitoring, and thus be disproportionate.
The DPA also declared unlawful the processing for profiling purposes, justified by the controller with the need to execute the contract. According to the DPA, the user would in fact have been able to use the service even without submitting any information in addition to that required for the creation of the account and without allowing the controller to carry out further processing regarding the manner of their interactions with the platform.
The DPA established a violation of Article 13 GDPR in that the controller did not provide, until 4 August 2021, information about the processing, and a violation of Articles 5(1)(a) and 12(1) GDPR, for having rendered, after 4 August 2021, a privacy notice lacking the requirements of clarity, transparency and comprehensibility.
The DPA also found a violation of Article 14 GDPR because the controller failed to provide non-users with information on the processing of their telephone numbers in the event that the user decided to synchronise their contacts on the Clubhouse platform. The DPA instructed the controller to include a link to a specific policy in the text of any invitation sent to non-users to join the community.
The DPA also confirmed that Articles 5(1)(e) and 13 GDPR had been infringed because the controller did not provide sufficient information about the data retention periods for the specific purposes pursued. According to the DPA, it was also unclear that the audio files created with the Clips & Replays function would be retained until the possible termination of the account by the user who generated them, unless the user requested their deletion.
With regard to the representative in the EU appointed by the controller, the DPA established a breach of Article 13(1)(a) GDPR for not having duly indicated the representative's contact details. The representative is not a mediator or facilitator but, as specified in Recital 80 GDPR, the person who acts on behalf of the controller with regard to the GDPR obligations. The DPA held that the role of the representative was left too ambiguous by not indicating that it actually had the mandate to act on behalf of the controller, in violation of Article 27(4) GDPR.
The DPA confirmed that the controller violated Article 35 GDPR for not having carried out a DPIA despite the fact that the processing activities performed fell within the types of processing that require an impact assessment, given that they took the form of profiling users on the basis of their preferences and that the data processed could also include those of minors.
In conclusion, the DPA imposed a series of corrective measures on the controller, pursuant to Article 58(2)(d) GDPR, ordering the controller to bring its processing activities in line with the GDPR. The DPA also imposed an administrative fine of €2,000,000 on the controller for the violation of multiple GDPR provisions, as discussed above.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.